Last week, the Seattle Public School District (“SPS”) sent out a notice that a law firm it had retained to handle a complaint on its behalf inadvertently delivered information of about 7,400 special education students. Information contained within the files not only included date of birth, school assignment, and grade, but it also included student identification numbers, special education assignments, disability categories and special education transportation information. SPS went on to state that “[r]elease of this information is of great concern” – but is it?

When it comes to data governance, the unauthorized release of mission-critical data, more-often-than-not, involves the conduct of a third-party. Organizations, like SPS, are so concerned about their internal protocols that they forget to examine their external processes. That is usually where the holes in an organization lie, and leaders fail to set a tone at the top on how to deal with third-party vendors. Up until the date of disclosure, did the SPS have a proactive process in place for how third-party vendors attested to their own data governance programs? Usually, the vendor will ask what protocols SPS would like for them to have in place, but the real question should be what safeguards do they have in place. If they are not willing to share that information, then SPS has the financial muscle to seek out another law firm.

For years now, I have spoken with colleagues in the legal profession over the necessity of implementing a data governance program for their law practice. The overwhelming response, to date, is one that most would probably not expect from practicing lawyers who have an ethical duty to keep client information confidential – that being one of apathy. The reason for this is two-fold: (1) the business benefit is hard to realize for most lawyers in the profession since a majority of firms are made up of fewer than 10 practitioners; and (2) the mindset of a lawyer is that their training has provided them with a suitable talent to react to any material adverse effect on their practice.

Last week, the Seattle Public Schools sent out a notice that it has “severed” its relationship with a law firm over that firm’s handling of mission-critical information. In responding to a complaint filed against the Seattle Public School District (“SPS”), the law firm inadvertently delivered personally identifiable information of about 7,400 special education students. Although the information was inadvertently delivered to only one person, SPS felt that it needed to take corrective action and dismiss the law firm of Preg O’Donnell & Gillett from representing the school district in the complaint. Preg O’Donnell & Gillett, which has offices in Seattle, Portland, and Anchorage, did not respond to requests by the media to be interviewed. A review of the law firm’s website would show that there are 7 members of the firm, all of whom would presumably have authority to create and implement a data governance program for the firm, especially if there are multiple offices throughout the region.

Data Governance is, and always will be, a “tone at the top” issue, and a paradigm shift in the legal profession needs to take place. Due to the average size of most law firms, much like any small business in America, hiring full-time IT staff is cost-prohibitive, but a data governance program is not just about technology; it’s also about PEOPLE and PROCESSES. Law firms, and small businesses alike, have an ethical obligation to keep their proprietary data confidential. Start by training and educating your staff and clients at least twice a year on proper safeguard protocols – this is one proactive way to keep clients and therefore make money. From there, firms can assess and review exactly what other protocols need to be implemented internally and externally, as there is no one-size-fits-all approach to data governance.

Breaches of an organization’s critical infrastructure, specifically its cyber-infrastructure, have become a daily recurring problem for businesses and governments worldwide. Allegations of the Chinese military hacking into IT networks of American businesses and organized criminal enterprises setting up lucrative black market schemes permeate the mainstream media market.

When a breach of mission-critical data occurs, should the victimized entity (e.g., business, government, etc.) be required to disclose that an incident has occurred? The reality is that most organizations, even if required to by law, do not disclose that a breach of their cyber-infrastructure has occurred, not to law enforcement and especially not to the general public at-large. The reasons for non-disclosure are numerous (e.g., loss of investor confidence; fear of class action litigation; loss of goodwill; lack of internal/external controls; etc.).

The New York Times recently held a forum on whether businesses should be required to disclose data breach incidents. The following are excerpts from that discussion (I have provided a brief response as well):

Lauren Gelman, Attorney – Ms. Gelman believes that it is important to share intrusion details and forensic data from breaches of mission-critical data. She substantiates her position by making a public policy argument that the public has a right to know if a company has been hacked so they can determine what is the right amount of investment in cyber-security research and response. Hackers exploit commonly known vulnerabilities in technology, and therefore targeted victims should take a “comfort in the herd” approach and share what they know with others. She is in favor of regulation, because it is a “collective action problem.” It is very tough to provide a one-size-fits-all solution to cyber-security. Organizations are uniquely individual in every aspect of their functionality, and it is not necessarily comforting to be a part of a herd when there is a pack of wolves surveying your collective weaknesses (i.e. like shooting fish in a barrel).

Alexander Tabb, Consultant – Mr. Tabb posits that disclosure “telegraphs” the weaknesses or lack of controls within an organization, and therefore leaves a company open for more attacks. Mr. Tabb is quick to point out that executives of publicly traded firms (and I would add private ones too) still have an obligation to respond to incidents against their critical infrastructure (they just do not have to publicly disclose the incident). Good try at creating an antagonistic viewpoint, but the “ethical” argument is tough when it comes to an executive’s number one objective – exceeding shareholder expectations.

Jacob Olcott, Policymaker – Mr. Olcott states that a business is built so much on good will and intellectual property these days that stakeholders (or potential stakeholders) have a right to know if the organization can adequately keep their secrets secure. Good point, but it is hard to find a correlation between data loss and stock price (e.g., TJ Maxx had a huge data breach, and their stock price has bounced back; I am unaware that Heartland Payment Systems went out of business; or Sony’s PlayStation is no longer being sold). In other words, the perception is that companies can rehabilitate themselves if a data breach occurs.

Lee Tien, Attorney – Not surprisingly, Mr. Tien suggests that data breach notification laws should become more enhanced so as to provide affected persons sufficient time to identify the signs that their privacy may be, or become, compromised. Public disclosure gives the general public at-large a greater perspective on the cyber-security problem, and allows for a collective response. More laws – that’s how we attorneys keep going. I would argue that MORE LAWYERS need to be adequately trained to help their clients find proactive solutions to cyber-security, not reactive solutions through litigation.

Baruch Fischhoff, Professor – Mr. Fischhoff offers a clinical opinion in which he states that questions of risk and decision-making are complicated, and rather than numb the public into hysterics, simply tell them what they need to know (i.e. how big is the risk?; Is the individual personally vulnerable?). The “ignorance is bliss” argument. This seems a bit paternalistic, and masks the problem.

Joseph Lorenzo Hall, Technologist – The last member of the forum, Mr. Hall, posited that the underlying dilemmas of cyber-security are complex, because there is an interaction of social, technological and institutional problems. Disclosure does not get to the “underbelly” of data security, and instead we should focus on creating a common social understanding of how to keep people and systems safe when interacting with networks and computers. Agreed. However, this is the 800 lbs elephant in the room, and the only way to eat the elephant is one bite at a time (but, determining what part to eat first is critically important).

Where does your organization fall in this discussion? Where should it fall in this discussion?

The New York Times reported that login credentials of a Dropbox employee were stolen in an unrelated hacking incident, and led to a spam attack within its own network. The incident occurred when hackers used a stolen password to log into the Dropbox employee’s account that had content which contained Dropbox user information. From that point, the hackers launched a spam attack on the e-mails contained within the account. This latest data breach highlights the value proposition for why hackers want to hack into data systems. As quoted in TNYT, “at first glance, [the usernames and passwords] may not appear to contain any valuable financial or personal information. Then, [the hackers] will test those credentials across the Web sites of financial organizations, brokerage accounts and, apparently, Dropbox accounts, where potentially more lucrative information may be found.”

When speaking to an audience regarding data governance, I am constantly having to remind the crowd that the problem is more than just updating your anti-virus, firewalls, WiFi, or encryption methods. It is about being vigilant, and educating yourself, and employees, on the latest trends in securing mission-critical information (e.g., not having a universal password for work/personal Web sites, etc.). The Dropbox incident highlights the use of universal passwords by individuals, and how hackers can take advantage of this to their benefit (and the user’s detriment). Human instinct relishes convenience, and we are creatures of habit – that is what adversarial actors are banking on in the 21st Century.

A lawsuit was filed in San Jose, CA, on June 15, 2012, seeking class action status against LinkedIn, Corp., stemming from the recent data breach of user passwords that ended up on a Russian Internet forum. The lawsuit filed by a Chicago-based attorney, Ms. Katie Szpyrka, accuses LinkedIn of deceiving its customers and of failing to implement adequate industry security standards for database security. The boutique law firm Ms. Szpyrka works for, Edelson McGuire, has long litigated data breach cases, and has recently won victories against Internet-based companies. The Plaintiff has demanded damages in the amount of $5 million. LinkedIn promptly responded to the lawsuit by stating the lawsuit is without merit, and that no harm was caused as a result of the data breach.

Regardless of whether the latest class action lawsuit against LinkedIn has merit, organizations need to create a ‘tone at the top’ paradigm shift regarding how mission-critical data is secured, or risk defending lawsuits, both with and without merit.

In other data breach class action news, last week, a federal court in Nevada consolidated nine class action lawsuits filed against Amazon.com’s subsidiary, Zappos.com, for a data breach that occurred back in January 2012. These high-profile lawsuits are just a small example of how class action attorneys are beginning to see the financial benefit of filing litigation claims in a court of law.

As a result of the rising tide of data breach class action litigation, organizations would be prudent to adopt a paradigm shift in how they secure mission-critical data. Many industries have witnessed this same cycle of consumer protection (e.g., auto industry) – companies will create a product that causes harm to consumers; get away with it for a while; plaintiff’s bar begins to win a few cases in court; industries try to “go it alone” without government intervention; they fail; large class action lawsuit changes the business standards/practices; and government creates/enforces laws to deal with consumer (i.e. voter) complaints.

As sure as the Sun will rise tomorrow, the cycle towards Internet regulation is in full motion. The only question is – which Internet-based company will become the next W.R. Grace?

In The New York Times today, Ms. Nicole Perlroth started her column with “LinkedIn is a data company that did not protect its data.” This is a very powerful statement coming on the heels of a cyber-attack that posted the usernames and passwords of over 6 million LinkedIn users on a Russian Internet forum. Has the collective conscience of Internet users become so numb to the daily occurrence of data breaches that they simply dismiss the necessity for protecting their privacy? Does privacy have a value any more?

Ms. Perlroth’s beginning statement is not as profound as what followed later in her article: “[a] company that collects and profits from vast amounts of data had taken a bare-bones approach to protecting it. The breach highlights a disturbing truth about LinkedIn’s computer security: there isn’t much. Companies with customer data continue to gamble on their own computer security, even as the break-ins increase.” As LinkedIn is a publicly traded company that is subject to the recently released “guidelines” on computer security by the Securities and Exchange Commission, are the corporate officers and board members liable to the shareholders for a lack of due diligence in safeguarding their most critical asset? Do the shareholders even care about the data leakage?

The article rightfully points out that because the legal consequences are minimal at best, and that the harm caused as a result of the breach is negligible (they didn’t lose any customers), the ability for shareholders to make a claim against the board of directors or corporate officers is a tough standard to overcome (the stock price went up after the data breach announcement). So where does the necessity to secure mission-critical data begin and end? Have we become immune to our private information being stolen? Is having my information stolen really my problem?

“Computer security is not regulated and even as loads of sensitive personal, corporate and financial data gets uploaded daily, companies continue to skimp on basic protections. If 5 percent of airplanes in the United States crashed tomorrow, there would be investigations, lawsuits, a cutback in air travel and airlines’ stock prices would most likely suffer.” – The New York Times, June 11, 2012

In recent days, high-profile social media companies LinkedIn and eHarmony disclosed that data from their IT systems has been exploited, via a cyber-attack, and the information obtained from the hack was placed on Russian Internet forums. LinkedIn estimated that approximately 6.46 million passwords were hacked, and is advising all users to update/change their login credentials. In response to the latest data breaches, I am providing business owners with some simple suggested best practices for having a secure online experience:

1. Never provide your Social Security Number to anyone, unless you have initiated the request.

2. Do not provide your Social Security Number in e-mails, checks, gift cards, etc., unless required by law.

3. Never use the same password twice.

4. Choose your security questions carefully.

5. Store passwords somewhere safe.

6. Install firewalls and encryption software throughout your business and home IT systems.

7. Never leave your computer unattended.

If you, or your business, become a victim of identity theft or computer fraud, then immediately contact your local law enforcement officials, FBI, or your local Department of Justice office. It is also advisable to contact an attorney to understand what your rights and responsibilities are in cooperating with law enforcement personnel.